Introduction
There is a lot of backlash going on right now following the release of Ledger's recover program so in this video I'll give you the whole Lowdown of what The Ledger recovery program is, what it actually impacts, and is a security risk, and what is not and what I'm doing to stay safe. In fact, I probably will be switching to another provider, so let's get into it.
What is The Ledger recovery program? This is a subscription-based feature that allows users to store their seed phrase online for an easy recovery process in case you lose your seed phrase like the piece of paper, and this costs nine dollars per month. It isn't a compulsory purchase or the default setting for all Ledgers; the users actually have to opt in to purchase this feature and enable it. Once it is activated, the backup is then divided into three portions and then stored across three separate companies: Ledger themselves, Coincover, and Escrowattack.
In order to set this up, you have to complete KYC identification and include a document and a selfie recording. Then when you want to recover your seed from this program, you connect your Ledger, go on The Ledger website, and then again you have to complete KYC to verify that you are yourself, and then those three parties come together with shards of your seed phrase, and then they can piece it together to recover your whole account.
Now for the time being, this program is only available for the newer larger Nano X model. For the older larger Nano S, they aren't affected, and you cannot use them yet.
Security Risks
security risk and the controversy around this. The idea of the seed phrase leaving the hardware wallet really did not resonate with many users, and we cannot blame them because, in fact, The Ledger themselves have stated before on Twitter to answer questions. They said, "Your private keys never leave the secure element chip on the device, which has never been hacked. This secure element is third party certified, sealed, air gapped, and the technology is the same as the ones used in passports and credit cards." So they have always advertised this way, that your privacy is only stored in the device and it cannot ever leave the device.
But now, with this Ledger recovery program, even though the program takes your seed and splits it into three shards, encrypts them, and sends them to trusted third-party providers, and it's gated through KYC (Know Your Customer), and they do all this with your consent when you opt in, there is now a path within the software of Ledger that can take the seed phrase or the private key out of the secure element and upload it to other third-party providers.
CZ from Binance also chimed in, saying that the seed phrase can leave the device. Now, this sounds like a different direction than the previous claim that your keys never leave the device. To make things even worse, The Ledger support team on Twitter has handled this very poorly, using language like, "Technically, it's always possible; you just trusted us not to do it and not to write firmware that facilitates extracting your seed from the device."
This has understandably made many people rightfully angry. Many users went on Twitter and called for everyone to stop using Ledger because they've shown nothing but incompetence in handling this security issue. They've even publicly admitted that before, they said it cannot leave the device, but now they acknowledge that there's potentially a back door that allows trusted third parties to extract the seed and encrypt it in order to provide this recovery program.
So how big of a problem is this?
Let's break down a few key aspects people are angry about. First, splitting the seed phrases as a backup is not a problem by itself. This is actually a good practice. Expert users tend to split up their seed phrase to diversify the risk of having a single point of failure, like a single paper seed phrase. Even Vitalik Buterin, the co-founder of Ethereum, uses this method to store his personal Ethereum and wealth, splitting up his seed phrase into multiple pieces. So, splitting seed phrases is not a problem.
Regarding The Ledger recovery program and the KYC process, and how people are worried about data leaks, this might not be a problem by itself, as the program is opt-in. You can choose not to engage with KYC and leak your information by simply not opting into the program. However, even though this program is optional, it's still advisable for users not to use it. Once your seed phrase is backed up, there's no going back. And if someone steals your identity and passes KYC with the recovery providers, they could potentially restore your wallet and steal your funds. It shifts the security from mathematics and cryptography to trust in third-party providers.
In more extreme scenarios, governments or courts could subpoena your crypto wallet, potentially forcing the recovery providers and Ledger to give up your seed phrases due to legal obligations. Since these providers are companies, they have to comply with the law.
The former CEO and one of Ledger's co-founders also commented on Reddit, stating that if you are a recovered user and have your shard safeguarded by third parties, a government could subpoena them and gain access to your funds.
Lastly, one of the biggest problems is that The Ledger recovery program reveals Ledger's new firmware. In fact, most hardware wallets have firmware that can be customized and potentially include backdoors. Technically, it's possible to write firmware that facilitates key extraction, although users trust Ledger not to deploy such firmware. With the recovery program, it becomes clear that you don't even need to give them the seed phrase manually. All you need to do is provide your consent, and they have the power to extract your seed from the secure element. This undermines the security promise of Ledger's secure element.
This situation should serve as a wake-up call for all users to understand how their wallets really work. Experts reveal that all hardware wallets technically have the ability to make changes to the firmware that can extract your seed and private keys. It's crucial for users to be aware of the potential risks and to consider alternative options that offer more transparent and secure recovery solutions.
Should You Still Use Ledger?
Hardware wallets still provide the best combination of security and convenience. Using an exchange or a hot wallet is inherently riskier because your private keys are constantly exposed to the internet and third parties. Even with Ledger, even with the recovery program, you're still much more secure when using it in combination with MetaMask. It remains a highly secure and convenient option compared to using a phone wallet, exchange, or just MetaMask.
However, if you're looking to store your coins for an extended period and convenience isn't your top priority, physical backups like paper wallets or steel backups, which store your seed phrases as steel characters, offer increased security and longevity. These options are not subject to firmware updates, ensuring that nothing can go wrong.
Personally, I continue to use a hardware wallet for my daily and long-term storage needs, and I plan to stick with it because it's the best option for me. I've used Ledger for the past six years without any issues, and I've always had a positive experience with them. However, this recent incident has made me seriously consider switching to an alternative.
In my view, the best option at present is the Trezor Model T. While both Ledger and Trezor share similar concerns regarding firmware trust issues that could theoretically allow for the installation of backdoors, Trezor has a significant advantage. Trezor is open source, meaning their firmware and updates are open for public inspection. Savvy users can download, compile, and verify the code to ensure there are no backdoors. With Ledger, you cannot do this; it's closed source. Ledger provides a changelog for firmware updates, but you can't verify the completeness of the features. Hidden features could potentially exist without your knowledge.
I'm not suggesting that every user must personally verify all firmware updates with their Trezor device, as not everyone is a developer with that ability. However, the fact that it's open source allows penetration testers and white hat hackers to actively check and confirm the security of firmware updates, adding an extra layer of trust for users.
Considering the recent concerns about firmware backdoors, if you're worried about this aspect of the Ledger recovery program, using a Trezor is a safer choice. Other wallets, such as the GridPlus Lattice, Keystone, and SafePal, have been recommended by some users. These brands seem legitimate and claim features like air-gapping and being open source, which can enhance security. However, proven security typically comes from a wallet's history of remaining incident-free over time.
This is why Ledger and Trezor have consistently been top choices when recommending hardware wallets, as they have established a track record of trust and reliability. If I were to switch from Ledger, Trezor would be my preferred alternative, and I would recommend it to others. Keep in mind that there are other options, and I plan to conduct a thorough comparison of the top hardware wallets, including Keystone and SafePal, to provide users with more insights and choices.